216.73.217.22

Inside Tycoon2FA: How a leading AiTM phishing kit operated at scale

· Published 04/03/2026 19:42 · Modified 05/03/2026 09:48

Export JSON

Essential information

Published
04/03/2026 19:42
Modified
05/03/2026 09:48
Tags
2026-03-04 adversary-in-the-middle credential-theft evasion techniques multifactor authentication bypass phishing-as-a-service session token interception tycoon2fa
Related entities
9 observables, 1 intrusion sets (apt), 17 techniques (mitre), 1 malware, 13 others

Description

emerged as a prominent platform in August 2023, enabling large-scale campaigns targeting over 500,000 organizations monthly. Developed by Storm-1747, it provided capabilities to bypass multifactor authentication. The kit allowed impersonation of trusted brands like Microsoft 365 and Gmail, intercepting session cookies and credentials. It employed sophisticated including anti-bot screening, browser fingerprinting, and custom CAPTCHAs. 's infrastructure evolved to use diverse, short-lived domains and complex redirect chains. Its success stemmed from closely mimicking legitimate authentication processes while covertly intercepting user credentials and session tokens.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (9)

  • https://kzagniw.es/LI6vGlx7@1wPztdy
  • https://astro.thorousha.ru/vojd4e50fw4o!g/$ENCODED
  • https://immutable.nathacha.digital/T@uWhi6jqZQH7/#?EMAIL_ADDRESS
  • https://mysql.vecedoo.online/JB5ow79@fKst02/#EMAIL_ADDRESS
  • https://backend.vmfuiojitnlb.es/CGyP9!CbhSU22YT2/
  • https://piwf.ariitdc.es/kv2gVMHLZ@dNeXt/$EMAIL_ADDRESS
  • https://q9y3.efwzxgd.es/MEaap8nZG5A@c8T/*EMAIL_ADDRESS
  • https://mock.zuyistoo.today/pry1r75TisN5S@8yDDQI/$EMAIL_ADDRESS
  • https://qonnfp.wnrathttb.ru/Fe2yiyoKvg3YTfV!/$EMAIL_ADDRESS

Intrusion sets (APT) (1)

  • Storm-1747
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 19:19 · Modified 21/12/2025 19:19

Techniques (MITRE) (17)

  • T1078
    Valid Accounts
  • T1185
    Browser Session Hijacking
  • T1056
    Input Capture
  • T1584
    Compromise Infrastructure
  • T1110
    Brute Force
  • T1528
    Steal Application Access Token
  • T1550
    Use Alternate Authentication Material
  • T1566
    Phishing
  • T1589
    Gather Victim Identity Information
  • T1606
    Forge Web Credentials
  • T1114
    Email Collection
  • T1592
    Gather Victim Host Information
  • T1098
    Account Manipulation
  • T1059
    Command and Scripting Interpreter
  • T1087
    Account Discovery
  • T1590
    Gather Victim Network Information
  • T1140
    Deobfuscate/Decode Files or Information

Malware (1)

  • Tycoon2FA
    Family
    Published 04/03/2026 19:42 · Modified 04/03/2026 19:42

Others (13)

  • Finance
  • Education
  • Healthcare
  • Government
  • mock.zuyistoo.today
  • qonnfp.wnrathttb.ru
  • immutable.nathacha.digital
  • q9y3.efwzxgd.es
  • mysql.vecedoo.online
  • astro.thorousha.ru
  • backend.vmfuiojitnlb.es
  • piwf.ariitdc.es
  • kzagniw.es

External references